In my project i am sending a mail to the user to create a user account. I want to enable that link for the first time he/she clicks the link. if he clicks the link for more than 2 times,then it should go to custom error page.how to do this?
This depends on how the link is generated.
For example: If your link contains a username as GET-parameter, then you could simply query your database if the username is already in use. I would advise against that, because the user can easily change that GET-Parameter
I would recommend this: Your link should contain a unique identifier, most likly a hash. This hash is stored somewhere, to garantee it's uniqueness, like in the usertable of your database (a column for the hash of the registration link). That might also come handy, because you could create new user rows and already prefill them with necessary information. You could use these information upon rendering to insert text into the textboxes
Related
If you use Wordpress's built in password reset service it will go something like this:
Click forgot password
Enter your email or username
Receive a link in your email inbox
Click the link
Fill out form
That link you click, will look something like this:
http://yourdomain/wp-login.php?action=rp&key=vqwwSPzf6OK6bUv42XPk&login=natelough
If you try to change the &login to another name, it will reject you.
So, somewhere that 'key' is being stored in some way, and compared.
Where is it stored in the database?
I did an export of the database and searched the db for that string. It returned no results.
So what gives?
That key is generated by hashing a random string. You can see how this key is generated in the WordPress developer reference.
To answer your specific question, when a key is generated it is stored in the users table in the user_activation_key column. Only the most recently generated key is stored (invalidating previous reset keys). The key is also removed from the database once it has been used.
If you are looking to send these keys programmatically, you can generate them when you need them using get_password_reset_key(). That function accepts a WP_User object as its argument.
Depending on what you are trying to accomplish, there may be a more "best practices" way to do it than accessing that function directly.
The password is stored as a hash of the login name and password. You will find it in the users table under user_pass as an incomprehensible string. If the login name is changed, the entered password hashed with the login name will not match the string found in the database where the password was hashed with the original login name.
How can I read a people picker field and query AD to load additional fields related to the person in the field. Example: Employee Name; load information want to load email address, phone number. the InfoPath form is being used with Nintex Workflow and SharePoint 2010.
I have searched and have not been able to find answer.
Thanks
D
Unfortunately I don't have enough reputation points yet to leave a comment, but your question really doesn't provide enough detail. So any answer provided is going to be based on assumptions. You don't even clarify what version of InfoPath you're using.
That said, a good place to start is to create a data connection to receive data. You'll need to select the web service option and will then need to enter in the web server address. The address will probably be in the following format:
http://yourservernamehere/_vti_bin/userprofileservice.asmx?wsdl
Replace yourservernamehere with the address of your SharePoint server. Then, you'll need to select GetUserProfileByName as the operation you need. Just keep on clicking next and then finish to complete the connection.
You will then have to view the data source within InfoPath to see what fields are available and map the ones you want to the fields you want prepopulated on your form.
All this is based on my own assumptions, so I can't guarantee it will work in your scenario. Happy to assist if you still need help and are able to provide more details.
To autocomplete you can use your e-mail or phone number fields, with a new action rule. This is due to people picker fields not allowing any action rules applied to them.
The web service option mentioned in another answer unfortunately no longer works in SharePoint Online. Please use a data connection the hidden User Information List located on the stem of your SharePoint site instead.
Condition:
Use the condition DisplayName is not blank by using "Select a field or group..." in advanced view and selecting your people pickers DisplayName field
Actions:
Set a field's value
Field: User Information List data connection queryFields DisplayName of people picker
Value: your forms DisplayName of people picker
Query using a data connection: User Information List data connection
Set a field's value
Field: your forms email or phone number field
Value: data fields > Work_email / Work_phone of your data connection
I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.
In an MVC application I have a two pages process. On the first page we gather information that will allow us to identify which database record to update. On the second page we gather new values used to update this record. In order for this to work, we need a way to persists information between the two pages, including some record id.
I though of two way to do this and both have some problem.
Store the information in the Session object.
This works as long as the user does not open a second browser window or tab. If he does there is a risk that he'll apply the modifications to the wrong record. Suppose he opens tab 1 and complete the first step. Record id 1 is stored in the Session object. The user then open tab 2 and complete the first step. Record id 2 is then stored in the Session object overwriting record id 1. The user then come back to the first tab and complete the second step thinking he is editing record 1, but in fact he will be editing record 2.
Store the information in an hidden field on the page.
This would solve the problem solution 1 has, but it would be trivial for a ill-intentioned user to change the record id to overwrite any record.
While typing this question I just though of a third solution. That is an hybrid of theses two, but I'm not sure it's completely safe. We could store a random id in an hidden field on the page and use this to prefix the key we use to access data in the session object. I think this would work. Could this be exploited as solution 2 could?
Any other good way to securely store data "per tab" instead of "per session"?
Considering way 2 you may check security server side. If a user does not have modification rights on a specific record then server must not save it. Otherwise he/she is modifying a record that has modifications rights on it and does not matter if he/she is doing it by standard UI or hacking under it.
I think you are mixing up two things - authorization and passing data.
If user is authorized to do stuff with "another record", it's not important if he "tempers the hidden", because he is authorized to change another record as well. Nobody is going to do that intentionally. Means - you just need to check if user is authorized to do stuff in every post from the user i.e. in each controller method (and this is normal practice to always validate all user input server-side).
I would suggest you go with "hidden field".
If you want to separate info in different tabs you should use sessionStorage that differs for each open browser tab.
You can set it like this:
sessionStorage.setItem("perTabValue", "true");
Then you can get your value:
var x = sessionStorage.getItem("perTabValue");
if(x === "yourValue"){
//do anithing you want
}
I've got an old framework 1.1 project with the following problem: if user submits a page then in database duplicated records might appear. This error repeats often but is not consistent: in most cases there are no duplicated entries but in some cases there can be upto 4 of them. We disable submit button with JavaScript after first submission.
May be this would be helpful: there is a session object used to store user inputs (which are submitted).
Any scenarios you can think of why duplicated records can happen?
Many thanks
Finally I found that some mobile browsers ignored JavaScript that disabled submission button and users managed to resubmit form multiple times.
The easiest (?) solution to this is the following:
Create a table "SubmissionTokens" in database with two fields: Token (uniqueidentifier), DateCreated (DateTime). Then, when page with submission form loads, add a token to database and save "id" value in a hidden field on the same page. When user submits the form then read token from the hidden field and see if token exists in table SubmissionTokens. If it does exist then insert a new record with form data in the database and delete the token from SubmissionTokens. You can also use DateCreate field to expire tokens.
At work I implemented a bit different solution and just look for duplicated records in the database before inserting a new record. But this is because there is a specific requirement that user must be able to resubmit form if he clicks "back" in browser. In this case the SubmissionToken is already deleted and the first solution wouldn't work.